COLLOQUIUM
Department of Computer Science and Engineering
University of South Carolina

Pyrite or Gold: It Takes More Than a Pick or Shovel

John McHugh
CERT Research Center
Center for Computer and Communication Security
Carnegie Mellon University

Date: August 20, 2004 (Friday)
Time: 3-4PM
Place: Swearingen 1A03 (Faculty Lounge)

Abstract

Data mining and statistically based approaches to intrusion detection show some promise as useful tools, but many of the results obtained to date are unlikely to translate well into the field. In this talk, I will discuss some of the steps that must be taken to determine whether or not an approach that appears to be useful in a laboratory setting is likely to fare well in an uncontrolled environment. Perhaps the most important of these is the nature of the phenomena on which the detection claim is based. We have seen a large number of cases in which the discriminating factors turn out to be serendipitous rather than necessary or sufficient, i.e., there is no necessary causal relationship between intrusive intent and the manifestation on which detection is based. The talk will discuss some interesting cases in detail and make arguments as to why the discriminating factors discovered are unlikely to hold up in practice. The talk will conclude with a general discussion of the nature of the intrusion detection problem as an exploration of spaces with high dimensionality and will attempt to establish a framework in which both necessary and sufficient conditions for the discovery of intrusive activities can be established.

John McHugh is a senior member of the technical staff at the CERT Coordination Center, part of the SEI at CMU, where he does research in survivability, network security, and intrusion detection. He was a professor and former chairman of the Computer Science Department at Portland State University in Portland, Oregon, where he held a Tektronix Professorship. His research interests include computer security, software engineering, and programming languages. He has previously taught at The University of North Carolina and at Duke University. He has been an active researcher in the application of formal methods to the construction of dependable and secure systems for many years. He was the architect of the Gypsy code optimizer and the Gypsy Covert Channel Analysis tool. Dr. McHugh received his PhD degree in computer science from the University of Texas at Austin. He has an MS degree in computer science from the University of Maryland and a BS degree in physics from Duke University. He grew up in Durham, North Carolina, leaving when he graduated from Duke. Twenty years later, he returned, demonstrating that Thomas Wolfe was wrong. After another ten years in Durham, he moved to Portland, demonstrating, perhaps, that Wolfe knew what he was talking about after all.
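The abstract's warning about serendipitous discriminating factors can be made concrete with a small constructed experiment. The Python below is an added illustration, not material from the talk, from CERT, or from any dataset the speaker studied. It builds a "lab" dataset in which every attack record happens to carry an IP TTL of 64 because the attack traffic was replayed from a single test host, and a "field" dataset in which benign hosts share that TTL too. A rule that keys on the TTL scores perfectly in the lab and collapses in the field, while a rule tied to a manifestation the modelled attack cannot avoid producing (a burst of failed logins, standing in for password guessing) holds up in both. The record layout, feature values, thresholds and class proportions are all assumptions made for this example.

```python
"""Constructed experiment: a lab-only discriminator versus a causal one.

Added example; the datasets, feature values and thresholds are invented
to illustrate the abstract's point and are not from the talk or CERT.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Record:
    ttl: int             # IP time-to-live seen at the sensor (assumed feature)
    failed_logins: int   # failed authentications per minute (assumed feature)
    attack: bool         # ground-truth label


def _is_attack(i: int) -> bool:
    # Every fourth record is an attack in both datasets (100 of 400 by default).
    return i % 4 == 0


def make_lab_data(n: int = 400) -> List[Record]:
    """Lab set: attacks were replayed from one test host, so all attack
    records share TTL 64, while the benign capture happens to contain no
    TTL-64 host at all. That coincidence is the serendipitous factor."""
    benign_ttls = [128, 255, 60, 52]
    rows = []
    for i in range(n):
        if _is_attack(i):
            rows.append(Record(ttl=64, failed_logins=8 + i % 20, attack=True))
        else:
            rows.append(Record(ttl=benign_ttls[(i // 4) % 4],
                               failed_logins=i % 3, attack=False))
    return rows


def make_field_data(n: int = 400) -> List[Record]:
    """Field set: attackers and benign hosts alike sit at assorted hop
    distances, so TTL is spread over the same values for both classes.
    The login-failure burst, which the attack must produce, is unchanged."""
    field_ttls = [64, 128, 255, 60, 52, 116]
    rows = []
    for i in range(n):
        ttl = field_ttls[i % 6]
        if _is_attack(i):
            rows.append(Record(ttl=ttl, failed_logins=8 + i % 20, attack=True))
        else:
            rows.append(Record(ttl=ttl, failed_logins=i % 3, attack=False))
    return rows


def spurious_rule(r: Record) -> bool:
    """What a miner would pick out of the lab set: TTL 64 means attack."""
    return r.ttl == 64


def causal_rule(r: Record) -> bool:
    """A rule tied to a necessary manifestation of the modelled attack."""
    return r.failed_logins >= 5


def evaluate(rule: Callable[[Record], bool],
             rows: List[Record]) -> Tuple[float, float]:
    """Return (precision, recall) of a rule over labelled records."""
    tp = fp = fn = 0
    for r in rows:
        flagged = rule(r)
        if flagged and r.attack:
            tp += 1
        elif flagged and not r.attack:
            fp += 1
        elif not flagged and r.attack:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def compare() -> Dict[str, Tuple[float, float]]:
    """Score both rules on both datasets."""
    lab, field = make_lab_data(), make_field_data()
    return {
        "spurious_lab": evaluate(spurious_rule, lab),
        "spurious_field": evaluate(spurious_rule, field),
        "causal_lab": evaluate(causal_rule, lab),
        "causal_field": evaluate(causal_rule, field),
    }


if __name__ == "__main__":
    for name, (p, r) in compare().items():
        print(f"{name:15s} precision={p:.2f} recall={r:.2f}")
```

The TTL rule is perfect on the lab set because nothing in that set contradicts it, which is exactly why a purely statistical search would select it; on the field set its recall drops to roughly a third and its precision to about a half, because the feature was an artifact of how the lab traffic was generated rather than of the intrusion. The practical check the abstract calls for is to ask, for every discriminator a tool learns, whether an attacker could carry out the same intrusion without producing it.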